This Google Chrome Security Exploit Must Be Seen To Be Believed -- What You Need To Know


Developer James Fisher has created a proof of concept exploit for the Google Chrome Android web browser that is so effective that he admits to being fooled by it himself. The "inception bar" security exploit relies upon something known as a picture-in-picture or "line of death" vulnerability, whereby an attacker gains control over a block of pixels within an application. If the attacker replaces the default pixels with something that looks like the user interface itself, the potential threat is obvious. What Fisher has done is take this attack methodology and apply it in the context of the Google Chrome web browser for Android, which has an address bar that disappears when the user scrolls the screen on their mobile device. By replacing the address bar in this scrolling scenario, Fisher can fool the user into thinking they are on a completely different site than they actually are. But it gets even worse when you explore the proof of concept further.

Proof of concept

If you visit the blog page where Fisher describes his exploit, using the Chrome browser on an Android smartphone, as soon as you start scrolling you will see that you appear to be at hsbc.com, one of the largest banks in the world. This is because the Chrome browser hides the address bar when you start scrolling, releasing more screen real estate for the content to display in. This screen space is, effectively, handed over to the web page being displayed, which is all well and good unless, as Fisher demonstrates, that web page happens to belong to someone with criminal intent. In a phishing scenario, for example, being able to display the real URL on a fake site will ramp up trust in the victim and could lead to sensitive data being compromised or fraud as a result. Things get worse when you realize that Fisher has also found a way to prevent Chrome from re-displaying the original address bar when the user scrolls up. By moving the entire content of the page into what he describes as "scroll jail," a browser within the browser, Fisher makes the exploit even harder to spot. This is compounded by preventing Chrome from re-displaying the actual URL when the user scrolls back to the top of the page: a tall "padding" element is inserted that mimics a page refresh and automatically scrolls the user back down to the start of the content instead.

The wider threat potential

While Fisher only developed a proof of concept exploit for Chrome on Android, because services that open links inside a "WebView" also have the collapsing address bar function, it could potentially be just as viable when used in applications such as LinkedIn and Twitter outside of the Chrome browser ecosystem. I spoke to Fisher this morning and he told me that it would be "perhaps a day of work" for a threat actor to create a more dynamic version of the inception bar and introduce interactivity into the exploit. "I considered extending my version this weekend with an interactive bar," Fisher says, "when you enter the fake URL bar it would prompt you with Gmail as part of your commonly visited sites and serve a fake Gmail login if you select it."

What should Google do?

Fisher was clear that he sees this as a security flaw in Chrome but told me that he had not approached Google with the details as "the Chrome bug bounty scheme doesn't seem to cover new phishing methods." I contacted Google earlier today for comment regarding the inception bar exploit, but at the time of publication none had been forthcoming. According to Fisher, Google needs to address the trade-off between maximizing screen space and retaining trusted screen space. He suggests that Google could allow Chrome to retain some space above the line of death, rather than hand all of this to the web page and use it "to signal when the URL bar is currently collapsed by displaying the shadow of an almost-hidden URL bar." Gavin Millard, vice-president of intelligence at security vendor Tenable, agrees. "Whilst the proof of concept by Mr. Fisher isn't perfect," Millard says, "Google and others should consider implementing mitigation techniques to make the demarcation between browser UI and web content more obvious." Chris Doman, a security researcher for AT&T Alien Labs, also thinks that it's something Google needs to address. "This kind of fake UI is surprisingly tricky to block in all cases," Doman explains, "but Google can detect exact copy-cats of James's code fairly easily. A saving grace is this requires you to scroll down first, but it's also trivial to auto scroll down a page."

What can the user do?

There is no real mitigation that can help the user, because every workaround would require the user to realize they are actually in the inception bar jail in the first place. However, turning it off and on again would work: toggle the lock screen, or exit to another app and switch back again. Swiping down on the inception bar itself to refresh the page also escapes the jail. However, as I say, few people will do any of this for every site they visit. Jake Moore, a security specialist with ESET, says the inception bar exploit "has always been a theoretical possibility and a nightmare for security professionals," not least because it is so difficult for the average user to notice. "It would be very easy for someone without the knowledge to be fooled by this," Moore continues, "however, it comes into question how the user may have landed on the site." This means that the ultimate mitigation is being aware of basic good security hygiene, so that rogue links are not clicked in the first place.